A Fault Tolerant Colored Petri Net Model for Flexible Manufacturing Systems

Barros, Tomaz C.; Figueiredo, Jorge C.A. de; Perkusich, Angelo

doi:10.1590/S0104-65001997000300002

Abstract

This paper introduces an approach based on Colored Petri Nets (CPN) to systematically introduce fault-tolerance in the design of a supervisor for a Flexible Manufacturing System (FMS). The system is modeled by means of Place/Transition nets and then is structurally reduced, resulting in a CPN that is independent of a specific production route. The introduction of fault tolerance in the design of such a supervisor considers both forward recovery and backward recovery. For forward recovery we anticipate faults in resources in a production route and reschedule the production routes for production orders before the faulty resource is reached. The backward recovery is considered at the level of a resource in such a way that when a faulty resource is fixed, the operation restarts on the last consistent operation executed

Fault Tolerance; Forward Recovery; Backward Recovery; Flexible Manufacturing Systems; Colored Petri Nets

A Fault Tolerant Colored Petri Net Model for Flexible Manufacturing Systems

Tomaz C. Barros^*
Departamento de Eletrônica e Sistemas
Universidade Federal de Pernambuco
Caixa Postal 7800, 50711-970
Recife - PE - Brazil
tomaz@dee.ufpb.br Jorge C.A. de Figueiredo
Departamento de Sistemas e Computação
Universidade Federal da Paraíba
Caixa Postal 10105, 58109-970
Campina Grande - PB - Brazil
abrantes@dsc.ufpb.br Angelo Perkusich
Departamento de Engenharia Elérica
Universidade Federal da Paraía
Caixa Postal 10105, 58109-970
Campina Grande - PB - Brazil
perkusic@dee.ufpb.br Abstract This paper introduces an approach based on Colored Petri Nets (CPN) to systematically introduce fault-tolerance in the design of a supervisor for a Flexible Manufacturing System (FMS). The system is modeled by means of Place/Transition nets and then is structurally reduced, resulting in a CPN that is independent of a specific production route. The introduction of fault tolerance in the design of such a supervisor considers both forward recovery and backward recovery. For forward recovery we anticipate faults in resources in a production route and reschedule the production routes for production orders before the faulty resource is reached. The backward recovery is considered at the level of a resource in such a way that when a faulty resource is fixed, the operation restarts on the last consistent operation executed.

Keywords: Fault Tolerance, Forward Recovery, Backward Recovery, Flexible Manufacturing Systems, Colored Petri Nets.

1 Introduction

Flexible Manufacturing Systems (FMS) are complex systems made up of manufacturing cells with different kinds of resources. These resources may be one or more machines, e.g. drilling machines, lathes: Between cells and machines there is a flow of semi finished products (in the remainder of the paper the term sub-product will be employed) or raw material that may be transported by either robots or automated guided vehicles [2]. The raw material or sub-products are processed by the resources resulting in a certain kind of product. Each cell or machine must be capable of manipulating different sub-products, resulting in some final finished product. This flexibility introduces a significant degree of complexity to allocate and manage the resources required to produce different kinds of products. The task to allocate and manage resources is rather complex [11], specially considering that the nature of the managed resource activities are concurrent, parallel, with synchronous and asynchronous behavior. Also, the managed resources may be shared, therefore needing conflict resolution strategies [3, 4, 21].

In an FMS a production route is physically possible when, considering a given set of resources, it leads to a product. Apart from the allocation of a resource, a control system for such a system, named supervisor, must be able to manage resources. To do so, the supervisor exchanges information (messages) with each managed resource [10, 18, 19]. Among other things, these messages carry the specification of the sub-product and status information. To promote this message exchange, the supervisor must be capable of programming the resource to operate as specified for each sub-product and recognize if the resource can be allocated to the sub-product under consideration. Also, it must recognize the end of a task and recognize a fault [1, 6]. When a resource fails, all the routes containing the resource must be disabled, leading in most cases to an inadmissible low level of production. In order to cope with faults, the supervisor must be able to reschedule routes containing the faulty resource.

In this paper we introduce an approach to systematically obtain the global model of an FMS based on Place/Transition Nets [15]. Since this model can be very large for complex systems, we show how this model can be reduced based on the concepts of Colored Petri Nets (CPN) [12] to obtain a reduced global model of the system, from the resources perspective. This CPN model is a general model in the sense that it is independent of production routes. We also introduce a fault tolerant model for such an allocation and management system. Fault tolerance must be considered with the objective to provide means by which the supervisor can recover itself from a fault. Also the design of such a supervisor must be kept as simple as possible. In order to accomplish these design goals, we structure the rescheduling of routes in order to consider three different kinds of situations: intra-cell rescheduling, inter-cell rescheduling, and rescheduling on the entry buffer.

Also considering the need of high availability and performance in order to guarantee the defined throughput for an FMS, the introduction of fault tolerance in the design of such a supervisor considers both forward recovery and backward recovery. For forward recovery we anticipate faults in the resources in a production route and reschedule the production routes for production orders before the faulty resource is reached. The backward recovery is considered at the level of a resource in such a way that when a faulty resource is fixed the operation restarts on the last consistent operation executed.

Considering formal methods to analyze and introduce fault-tolerant properties in computer systems, Petri nets are among the most applicable. This is because, using Petri nets, it is possible to unify the modeling of software, hardware and environmental aspects by using one formalism. Petri nets have been used as a formal method to analyze and introduce fault tolerant properties in the design of software systems [5, 7, 8,9, 13, 14, 16, 17].

The rest of this paper is organized as follows. In Section 2 we introduce some basic definitions for Flexible Manufacturing Systems as well as for Place/Transition nets and Colored Petri Nets. In Section 3 we detail the modeling approach adopted in this paper as well as how the structure of the model of an FMS based on Place/Transition nets can be reduced using CPNs. In Section 4 we discuss the introduction of fault tolerance in the design of the supervisor considering both forward and backward recovery by obtaining a fault-tolerant CPN model. Finally, in Section 5 we present conclusions.

2 Background Issues

In this section we introduce the basic definitions adopted in this paper for Flexible Manufacturing Systems, as introduced in [3, 4] and the basic concepts related to Place/Transition nets and Colored Petri Nets.

2.1 Flexible Manufacturing Systems

In Figure 1 the layout for an FMS and its main components are shown. As can be seen, the FMS consists of four manufacturing cells, each one with two machines. For each cell, for each machine and for the FMS there is a pair of buffers (entry buffers are identified by the prefix eb and output buffers are identified by the prefix ob). These buffers are used to store either raw-material (entry buffer for the FMS, eb), sub-products (all other buffers), and finished products (output buffer for the FMS, ob). In the rest of the paper the following definition for an FMS is adopted.

Figure 1: Layout example for an FMS

Definition 2.1 A Flexible Manufacturing System is 7-tuple (P, B,V, C, M, R, H), where:

1. P = {p₁, p₂, ... , p_i, ... , p_n} is a finite and non empty set of products.

2. B = {b₁, b₂, ... , b_i, ... , p_n}is a finite and non empty set of buffers.

3. V = {v₁, v₂, ... , v_i, ... , b_n} is a finite and non empty set of transport elements.

4. C = {c₁, c₂, ... , c_i, ... , c_n} is a finite and non empty set of cells.

5. M = {m₁, m₂, ... , m_i, ... , m_n} is a finite and non empty set of machines.

6. R = {r₁, r₂, ..., r_i, ... , r_n} is a finite and non empty set of resources.

7. H = {h₁, h₂, ... , h_i, ... , h_n} is a finite and non empty set of production routes.

A product p_i

P is the result of raw material transformations from the entry to the end point of an FMS and a sub-product is an intermediate processing stage. A buffer b_i

B is a region in the FMS used as storage and distribution point for sub-products.

A buffer b_i

B is defined by: eb) entry buffer for the system storing raw material; ob) output buffer for the system, used to store all finished products; ebc_i) entry buffer for a cell c_i

C, used to store sub-products; obc_i) output buffer for a cell c_i

C, used to store sub-products; ebm_i) entry buffer for a machine m_i

M, used to store sub-products; obm_i) output buffer for a machine m_i

M, used to store sub-products.

In the example shown in Figure 1, the transportation elements belonging to the set V are the four robots (rc₁, rc₂, rc₃, and rc₄), and automated guided vehicles (AGV₁ trough AGV_n). Robots are used to move sub-products within a manufacturing cell (intra-cell transport), and AGVs are responsible to move sub-products among cells and raw-material from the entry buffer of the FMS (eb) and finished products to the output buffer of the FMS (ob). The thicker grey line represents the route for the AGVs.

Each cell c_i

C defines a region in the FMS which may contain one or more machines. Each machine m_i

M may have more than one resource. A resource r_i

R is that part of a machine allocated to process either a sub-product or raw material. Observe that P is the set of all products that can be manufactured based on the set of available resources.

Definition 2.2 A path defined by a finite sequence of resources, from the entry buffer in the system (eb) to the output buffer (ob) resulting in a given product p_i

P is called production route, and is denoted by h.

For the example shown, the rest of the elements are identified as follows:

P = {p₁, p₂, p₃}, is the set of products.

B = {eb, ob, ebc₁, obc₁, ... , ebc₄, obc₄,ebm₁, obm₁, ... , ebm₈, obm₈}, is the set of buffers.

C = {c₁, c₂, c₃, c₄}, is the set of cells.

M = {m₁, m₂, ... , m₇, ... , m₈}, is the set of machines.

R = {r₁, r₂, ... , r₇, ... , r₈}, is the set of resources.

H = {h₁, h₂, h₃}, is the set of production routes.

For instance h₂ = r₂r₄r₅r₇, is a production route.

In order to illustrate the operation of the system, consider that the route h₂ (shown in Figure 1 as a dashed line) results in the production of bolts (product p₂), as shown in Figure 2. To produce a bolt, five states are necessary:

1. Raw-material is transported to resource r₂, where it is processed and resulting in subproduct₁. In order to process the raw-material, the resource has to be programmed with the external radius a of the bolt and the width w. Therefore the data sent by the supervisor to the resource is (D_p1 = (a),(w)).

2. subproduct₁ is transported to resource r₄ where it is processed and resulting in subproduct₂. The data sent to this resource by the supervisor is the length of the side of the bolt (D_p2 = l).

3. subproduct₂ is transported to resource r₅ where it is processed and resulting in subproduct₃. The data sent to this resource by the supervisor is the internal radius of the bolt (D_p3 = b).

4. subproduct₃ is transported to resource r₅ where it is processed and resulting in subproduct₄. The data sent to this resource by the supervisor is is the type of thread of the bolt (D_p4 = N f).

5. subproduct₄ is transported to output buffer (ob), yielding the finished product p₂.

Details related to the architecture supporting the control of an FMS, based on the above definitions can be found in [3, 4].

Figure 2: Bolt production

2.2 Place/Transition Nets and Colored Petri Nets

Definition 2.3 A Place/Transition net is a tuple N = (P, T; F, K, W, M₀), and is denoted by P/T net, where:

1. (P, T; F) is a net where P-elements are called places and T-elements are called transitions.

2. K : P

{} is a capacity function.

3. W : F is a weight function.

4. M₀

is an initial marking function satisfying : M₀(p) K(P).

A P/T net such that : K(p) = and : W (f) = 1 can be denoted simply by N = (P, T; F, M₀) and is called an ordinary Petri net.

Definition 2.4 Given a P/T N = (P, T;F, K, W, M₀) be a P/T net, the transition rule is defined as follows:

1. A function is called a marking of N iff .

2. A transition is enabled at M iff .

3. If is a transition which is enabled at a marking M, then t may occur, yielding a new marking given by the equation:

.

4. The occurrence or firing of t changes the marking M into the new marking , and is denoted by

5. is the (forward) reachability class, and is defined as the smallest set of markings of N such that , and if and for some , then

This firing rule determines the behavior of a P/T net in terms of system states (markings) and their changes. A marking is represent by the transpose of a column vector, e.g., , where is the marking of place It allows the simulation of the dynamic behavior of a system modeled by a P/T net. When a transition is enabled, it can fire or occur. When the transition occurs, tokens are removed from input places and placed in the output places.

Definition 2.5 A Colored Petri Net (CPN) [12] is a tuple , satisfying the requirements:

1. is a finite set of non-empty color sets

2. P is a finite set of places

3. T is a finite set of transitions

4. A is a finite set of arcs such that

5. N : is a node function

6. is a color function

7. EXPRESSIONS is a guard function, such that : [Type(G(t)) = BOOLEAN Type(Var(G(t))) ]

8. EXPRESSIONS is an arc expressions function such that : [Type(E(a)) = C(p(a))_MS

Type(Var(E(a))) ] where p(a) is the place of N(a).

9. EXPRESSIONS is the initialization expression function such that : [Type(I(p))=C(p)_MS

I(p) is closed]

It should be noted that the syntax and semantic of the language used to the net expressions are not presented, and it is assumed the existence of such a language, according to the same restrictions stated by Jensen [12] in the formal definition of CPN. The CPN-ML language as defined in [20] is used.

3 Modeling Procedure

Given an FMS as defined in Section 2 and the example shown, we now present the modeling procedure for the supervisor. Observing the layout in Figure 1, it is possible to see that a route is defined by segments (paths), and these segments may be paths among cells defined as inter-cell routes and the other segments are intra-cell routes.

Inter-Cell Routes are: T1) Raw-material deposited in the entry buffer eb for the system is distributed to the entry buffers ebc_i of any cell c_i; T2) Sub-products in the output buffer obc_i of a cell c_i can be transported to the output buffer ob of the system; T3) Sub-products in the output buffer obc_i of a cell c_i can be transported to the entry buffer ebc_j of any cell c_i.

Intra-cell Routes are: T4) Sub-products in the entry buffer ebc_i for any cell c_i are transported to the entry buffer ebm_j of any machine m_j in the cell c_i; T5) Sub-products in the output buffer obm_j of any machine can be transported to the output buffer obc_i of the cell c_i; T6) Sub-products in the output obm_j buffer of a machine m_j can be transported to the entry buffer ebm_l of another machine m_l in the same cell c_i.

Therefore, the supervisor must consider the type of routes (T1 to T6) as introduced above in order to model any route in the space of routes H for the FMS considered.

3.1 Top-Down Model of an FMS

A top-down modeling procedure is adopted to obtain the model for the supervisor. We consider three different models, namely, model for inter-cell routes, model for intra-cell routes, and model resource allocation. To obtain the model the following rules are employed:

Inter-Cell Routes (Rule 1): inter-cell routes are modeled according to the transport function as well as the buffers eb, ob, ebc, and obc. In Figure 3 showns the model for inter-cell routes. Places model these buffers, while transitions model the transport events among cells.

Intra-cell Routes(Rule 2): intra-cell routes are modeled according to the transport functions as well as the buffers ebc, obc, ebm, and obm. In Figure 4 it is shown the model for intra-cell routes. Places model these buffers, while transitions model the transport events among machines in a given cell.

Resource Allocation (Rule 3): the resources of the system are modeled, including the entry buffer ebm_i and output buffer obm_i for each machine. In Figure 5 the model for the resources is shown. Places model the buffers, while the transitions model the allocation and release of a given resource.

It is important to point out that in the case of the transitions for the models for inter-cell and intra-cell routes the events may or may not always generate commands to the transportation system. The routes define the behavior of the model for the supervisor and not necessarily of the transportation system, that is not modeled in this paper. This consideration is necessary when considering the recovery of the supervisor in the case of faults, as discussed later on. The global P/T model is shown in Figure 6, and is obtained by the fusion of places and transitions with the same name for the three models presented.

Figure 3: Model for inter-cell routes (rule1) for the FMS shown in figure 5

Figure 4: Model for intra-cell routes (rule2) for the FMS showm in Figure

Figure 5: Model for resource allocation (rule 3) for the FMS shown in Figure 5

Figure 6: Global P/T model

3.2 CPN Model

As can be seen from Figure 6, the structure of the model can be rather complex. Therefore, we introduce an approach to obtain a CPN model for the the allocation and management supervisor for an FMS. Basically we fold common parts in the structure of the Place/Transition net to obtain the equivalent CPN. For the example discussed in this paper the reduced model is shown in Figure 7. In this model, places and transitions have the following meaning:

Places: places PE and PS model the entry (eb) and output (ob) buffers for the system; places PEC and PSC model the entry (ebc) and output (obc) for the cells; places PEM and PSM model the entry (ebm) and output (obm) buffers for the machines. Places PA and PF model the status of a resource. A token in PA indicates that the resource is busy, and a token in PF indicates that the resource is free.

Transition: transition TEC represents the transport of sub-products or raw material from the entry buffer for the system (eb) to the entry buffer for the cells (ebc); transition TSC represents the transport of sub-products from the output buffer for the cells (obc) to output buffer (ob) for the system; transition TEM represents the transport of sub-products from the entry buffer for the cells (ebc) to entry buffer (ebm) for the machines; TSM represents the transport of sub-products from the output buffer for the machines (obm) to output buffer (obc) for the cell; TPC represents the transport of sub-products from the output buffer for the cells (obc) to entry buffer (ebc) for another cell; TPM represents the transport of sub-products from the output buffer for the machines (obm) to the entry buffer (ebm) for another machine; TER represents the allocation of a resource; TSR represents the release of a resource.

In order to obtain the CPN model we transform the production routes, formed by a list or resources ri in a list formed by the elements of the type (ci, ri, Dpi), where ci is the cell containing the resource ri, and Dpi represents the programming data specifying a certain subproduct_i. This list has the following definition:

List = [(c1, r1, Dp1), (c2, r2, Dp2), ...,(ck, rk, Dpk)]

The entry place for the net, that is place PE has an initial marking corresponding to the following information: (product1, List1) + (product2, List2) + + (productk, Listk), where productk specifies a production order on one item of product k, and Listk specifies the production route for product k. In the case of the example of Figure 3, we could have the following initial marking: (p3,[(c1, r1, Dp1),(c4, r8, Dp2)]). That is, the system has to produce one item of product p3.

Figure 7: Structure of the CPN for the global model

The color P is defined for all the places, except place PF whose color is R. The variables ci, and List are used to solve conflicts between transition TPM and TSM and transition TPC and TSC, respectively. In the case that a sub-product is transported to another machine in the same cell, that is ci = cj, then transition TPM occurs, otherwise transition TSM occurs. In case when a sub-product had used all the resources defined in its production route, that is List = nil, transition TSC occurs, otherwise transition TPC occurs, and the sub-product is transported to another cell. Observe that, in Figure 8, after the occurrence of transitions TPM and TSM, the head of the List (ci, ri, Dpi) is removed, indicating that the resource ri was already used. Also, transition TER only occurs if the guard [r = ri] is satisfied, that is, resource ri is free. Analogously, transition TSR occurs if the guard [ri = rm] is satisfied, that is the resource rm was released. When transition TER occurs, a resource ri is allocated to a given sub-product and a command or message with the data, Dpi, to program the resource is sent to it. Also, transition TSR occurs only if a resource is released. Therefore, the supervisor must look for a message of the type rm in order to be informed if the resource rm is no longer being used. These two operations can be seen as the synchronization between the supervisor and the resource and is represented by the dotted lines in Figure 8. Observe that this is not a part of the model.

4 Fault Tolerant Model

Considering that for each item to be produced a production order is placed to the FMS, represented by a token in place PE (see Figure 8), and for the system to deliver the best possible throughput, one must consider how to tolerate a resource failure along the production route defined in the token. This consideration guides our strategy to introduce forward recovery by anticipating these failures and rescheduling the production orders in the entry buffer eb for the FMS as well as for all sub-products stored in the buffers of the cells and/or resources (machines) along the production route. This approach guarantees that the raw-material and sub-products for a given set of production orders will not wait in the above-mentioned buffers while the resource that failed is not fixed. Based on this requirement, we structure the forward recovery by considering the rescheduling possibilities.

It is also important that as soon as a resource is fixed it must restart the processing either the raw-material or a sub-product in the last consistent operation. The objective of this backward recovery is to save raw-material.

Figure 8: CPN model for supervisor

4.1 Forward Recovery

Let r_i and be resources in the FMS such that , that is, r_j is a replica for r_i and r_i failed; we define four cases for route rescheduling as we discuss below. For all the four cases, the dashed lines correspond to the behavior of the supervisor, while solid lines represent the behavior of the transport system. It is important to point out that these two different routes, one for the supervisor and the other for the transport system, are necessary to keep the design of the supervisor with fault tolerance simple and efficient from the computational point of view.

4.1.1 Case 1

When the resources r_i and r_j are in the same cell and the route h directly includes r_i (see Figure 9). In this case all sub-products stored in buffer ebm_i are moved to buffer ebm_j (the entry buffer of the replica). The route h for each production order including the faulty resource r_i in the entry buffer for the cell (ebc_i) is rescheduled to the replica resource r_j by moving all the orders to the entry buffer of machine m_j.

Figure 9: Rescheduling for Case 1

4.1.2 Case 2

When the faulty resource r_i and its replica r_j are in the same cell and the route directly involves r_i (see Figure 10). In this case, the supervisor reschedule the routes involving the faulty resource to the replica. This rescheduling is accomplished by sending orders to the transport system to move all production orders from buffer ebm_i to the buffer ebm_j. Also, all the sub-products in the output buffer obm_k are rescheduled to the the buffer ebm_j. From the buffer obm_j each sub-product is transported to the output buffer of the cell c_i or to other machine in this cell.

Figure 10: Rescheduling for Case 2

4.1.3 Case 3

When the faulty resource r_i and its replica r_j are not in the same cell and the route directly involves r_i (see Figure 11). Then we have two scenarios, one shown in Figure 11.a and the other shown in Figure 11.b. For the first scenario, the production orders are rescheduled from the output buffer obc_k in a cell c_k to the cell c_j containing the replica resource r_j in the cell c_j, also all the sub-products already in the entry buffer ebc_iand the entry buffer for resource r_i in cell c_i are rescheduled to the entry buffer ebc_j of cell c_j. For the second scenario the production orders are rescheduled from the entry buffer for the system eb to the cell c_j containing the replica resource r_j in cell c_j, also all the sub-products already in the entry buffer ebc_iand the entry buffer ebm_i for resource r_i in cell c_i are rescheduled to the entry buffer ebc_j of cell c_j.

4.1.4 Case 4

For this case the faulty resource r_i and the replica r_j are in different cells and the route includes a resource r_k in the same cell c_i of the faulty resource r_i (see Figure 12). In this case all the sub-products in the output buffer obm_k of the resource r_k and in the input buffer ebm_i of machine m_i are rescheduled to the entry buffer ebc_jand to the entry buffer ebm_j of the replica resource r_j in cell c_j.

4.1.5 Rescheduling of Trajectories

Considering the possibility of having redundant routes in the system resulting in the same type of finished product. This case happens when some or all the resources defining a route are redundant. This fact serves to justify fault-tolerance for the resources of the system. In what follows we formalize the fault-tolerance concept.

Definition 4.1 Let be distinct resources belonging to an FMS, if r_i is a replica of s_i, then r_i can execute the same functions as s_i, that is

Definition 4.2 Let h_i be a route belonging to the route space of an FMS, the number of elements in h_i is

Definition 4.3 Let h_u and h_v be two different routes of an FMS, h_v is equivalent to h_u, denoted by iff: and and

Theorem 4.1 Let h_u = r₁ ... r_i, ... r_n and h_v = s₁, ... s_i ... s_n be two different routes for an FMS, if , then there exists at least one resource s_i, such that

Theorem 4.2 Let h_u = r₁ ... r_i ... r_n and h_v = s₁ ... s_i ... s_n be two different routes for an FMS. If and h_u is k-resilient, then there exist at least k resources s_i such that , where

Theorem 4.3 Let h_u = r₁ ... r_i ... r_n and h_v = s₁...s_i ... s_n be two different routes for an FMS. If and , then where

As an example of the application of Theorem 4.3 let us consider the route h₂ resulting in the product p₂ (see Figure 1), that is h₂ = r₂r₄r₅r₇

p₂. Suppose that there exists in the route space H one route h_v= r₂r₃r₅r₇

p₂ such that

Supposing that the resource r₄ failed, the application of Theorem 4.1 implies r₄

r₃, that is r₃ is a replica for r₄. Therefore, according to Theorem 4.3 we have r₂r₄r₅r₇

r₂r₃r₅r₇, and consequently r₂r₃r₅r₇

p₂. Thus, route h₂ may be rescheduled for the new one h_v = r₂r₃r₅r₇, resulting in the same product p₂. In , we can see that the sub-products are transported from the buffer ebm₄ to the buffer obm₄, without being processed by r₄, because it failed. From the buffer obm₄ sub-products are transported to the buffer ebm₃, which is the entry buffer for the resource r₃, that is a replica for r₄. Compare route h_v shown in with route h₂ shown as a dashed line in .

4.2 Fault Tolerant CPN Model

In order to be fault-tolerant, the supervisor must re-cognize when a resource failed and reschedule all the routes involving it according to the four cases previously discussed. The supervisor must also be able to detect when the resource are fixed so that it can be considered again in a given route.

At any instant of time, we may have in any place of the CPN model, (except place PF), tokens with the field (p,((c_i, r_i, s_i, D_pi) :: List)).

In order to implement the fault-tolerant supervisor, we assume that any resource can execute the following functions:

1. Serve as an interface to the supervisor.

2. Receive the programming data D_pi.

3. Reinitialize the resource r_i after it has been recovered from a fault.

4. Send messages to the supervisor in order to inform the status s_m of the resource.

5. Send messages to the supervisor informing that a resource r_m has finished a task and is free.

Considering the model for the fault-tolerant supervisor, when any of the transitions TER, TFO, and TSR occur, the following takes place:

1. When transition TER occurs a resource r_i has completed its operation, therefore a message m_s0 (r_i, D_pi) is sent when TER occurs, where D_p are the programming data for the resource r_i specifying a given sub-product.

2. The transition TFO occurs only when a message with format m_go (r_m, s_m) is received.

3. Upon receiving a message with format m_g1 (r_m), indicating that the resource finished the operation, transition TSR occurs.

In order to tolerate faults, each place, except PF, must get a token with the following information:

Field P: specifies an element that is the type of product to be manufactured.

Field L: contains a list of elements (c_i, r_i, s_i, D_pi), where:

1 c_i specifies the cell containing the resource r_i.

2 s_i specifies the status of an operation. When s_i = 0 at the end of an operation, that resource completed the operation successfully. Otherwise, s_i = 1, implying that the resource failed. This indicates to the supervisor that it should reschedule routes involving this resource.

3 D_pi is the programming data as discussed before.

The fault tolerant CPN model is shown in Figure 14, where places and transitions have the same meaning and the color sets and variables are as declared for the model shown in Figure 8. Places PAR and PVS and transitions TET and TET1 have the following meaning:

PAR: a token in this place indicates that a resource is allocated for an operation.

PVS: a token in this place indicates that a resource has finished its operation and is waiting to be released.

TET: the occurrence of this transition indicates that the resource has failed. Therefore the routes involving it must be rescheduled according to the arc function frmm . This transition occurs only if the guard is evaluated to be true.

Figure 11: Rescheduling for Case 3

Figure 12: Rescheduling for Case 4

TET1: this transition, together with the place PVS and the output arc function frcc reschedules sub-products from the entry buffers from a cell with a faulty resource to a different cell with the replica.

The function frmm inserts in the head of list the element containing the resource r_j that is a replica of resource r_i. The occurrence of the transition TET deposits a token in place PSM which is the entry place for transitions TSM and TPM. The occurrence of any one of these transitions removes the head of the list, then the next resource to be allocated will be r_j. Observe that the occurrence of transition TET removes tokens from place PEM and deposits tokens in place PSM. Thus, in the case of a resource failure, the sub-products cannot access the resource.

We have detailed the model of the supervisor considering faults within a cell (for Case 1). We do not detail the rescheduling of routes for the remaining three cases considered in this paper.

It is important to point out that the rescheduling of a route in the supervisor does not correspond to commands for the transportation system. Commands are sent to transportation system only when a valid route is defined, so that the faulty resource is bypassed. In the example discussed, the command for the transportation system will be to move parts from the entry buffer ebm₄ of machine m₄ to the entry buffer ebm₃ of machine m₃, and also from the entry buffer ebc₂ for cell c₂ to the entry buffer ebm₃ of machine m₃ instead of the entry buffer of machine m₄.

Figure 13: Rescheduling of route h₂ due to a fault in r₄

Figure 14: Fault tolerant CPN model

4.3 Backward Recovery

During the production, the resource periodically establishes checkpoints for the current operation. In this case, the checkpoints are necessary in order to guarantee that a a faulty resource after repair continues the operation from the most recent checkpoint whenever this is possible. In order to illustrate this checkpoint mechanisms consider Figure 15, where it is assumed that the resource r₄ had failed while manufacturing subproduct₂. Observe that sides a, b, and c of subproduct₂ were finished before the failure. As shown in this figure, the failure had occurred while starting to cut the face of subproduct₂. Let us assume that a checkpoint is made whenever a face is cut, then when a resource fails and it is afterwards fixed, the operation restarts from this checkpoint.

Figure 15: Back-up data for checkpoint for resource r₄

5 Conclusion

We have proposed an approach for modeling the supervisor for Flexible Manufacturing Systems (FMS). The approach is based on the concepts of routes and Petri nets.

The concepts introduced in this paper have been exemplified using a manufacturing system and the models with and without fault-tolerance have been verified using the Design-CPN [12] environment. Based on this verification, we were able to certify the correct direction of the proposed approach. Details related with the verification were omitted due to space limitations.

The proposed approach allows the designer to control the complexity of the description of the model of a supervisor for an FMS. We have shown that this model can be very complex when using Place/Transition nets. To overcome this problem we have shown how Colored Petri nets can help in obtaining a more compact model with the same desired behavior.

Considering the necessity to deal with faults, we have introduced an approach to introduce fault tolerant characteristics in the model of the supervisor, based on resource replicas and route rescheduling. The objective is to guarantee that the system can continue delivering the specified services even in the presence of resource failures. Two cases were considered: forward recovery and backward recovery.

Current investigations are on the integration of the transportation system model to the supervisor, also considering fault tolerance and in detailing a methodology to model a supervisor for an FMS.

References

[1] Adlemo A., Andreasson S. A., and M. I. Johansson M.I. Fault tolerance strategies in an existing fms instalation. Control Engineering Practice, 1(1):127 - 134, 1993. [2] Zimmermann A. Modeling of manufacturing systems and production routes using colored petri nets. Proc. of the 3rd IASTED Int. Conf. on Robotics and Manufacturing, Cancun, Mexico, pp 380 - 383, 1995. [3] T.C. Barros, A. Perkusich, and J.C.A. de Figueiredo. Alocação de recursos e tolerância a faltas em sistemas flexíveis de manufatura utilizando redes de petri coloridas. In Anais do VII Simpósio Brasileiro de Computadores Tolerantes a Falhas, pp 153 - 167, Campina Grande, PB, Brasil, July 1997. [4] T.C. Barros, A. Perkusich, and J.C.A. de Figueiredo. A Colored petri net based approach for resource allocation and fault tolerance for flexible manufacturing systems.In Proc. of 2nd Workshop on Manufacturing and Petri Nets, 18th Int. Conference on Application and Theory of Petri Nets, pp 77 - 96, Toulouse,France, 1997. [5] F. Belli and K.-E. Grosspeitsch. Specification of fault-tolerant systems issues by predicate/transitions nets and regular expressions-approach and case study. IEEE Transactions on Software Engineering, 17(6):513 - 526, 1991. [6] P.R. Chintamaneni, P. Jalote, Y.B. Shieh, and S.K. Tripathi. On fault tolerance in manufacturing systems. IEEE Network, 2(3):32 - 39, 1988. [7] F.A. de Figueiredo, J.C.A. de Figueiredo, A. Perkusich, and F.M. de Assis. Tolerância a falhas em sistemas de software utilizando códigos convolucionais. In Anais do VII Simpósio Brasileiro de Computadores Tolerantes a Falhas, pp 195 - 209, Campina Grande, PB, Brasil, 1997. [8] J.C.A. de Figueiredo and A. Perkusich. Faults and timing analysis in real-time distributed systems: A fuzzy time petri-net-based approach. International Journal Fuzzy Sets and Systems, 83(2):143 - 168, 1996. [9] R. de Lemos, A. Saeed, and T. Anderson. Analysis of timeliness in safety-critical systems. In J. Vytopil, editor, Formal Techniques in Real-Time Fault-Tolerant Systems. Lecture Notes in Computer Science 571, pp 571 - 592. Springer-Verlag, 1992. [10] B. Lennartson and M. Fabian. Control of manufacturing systems: An object oriented approach (revised version). Technical Report R91 - 18, Chalmers University of Technology, Control Engineering Laboratory, Gotenborg, Sweden, 1991. [11] L. Alexander, M. Neville and H. Baosheng. Task decomposition and allocation problems and discrete event systems. Pergamon, Automatica, 30(2):203 - 216, 1994. [12] K. Jensen.Colored Petri Nets: Basic Concepts, Analysis, Methods and Practical Use. EACTS - Monographs on Theoretical Computer Science. Springer-Verlag, 1992. [13] N.G. Levenson. Software safety: Why, what, and how. ACM Computing Surveys, 18(2):125 - 163, June 1986. [14] N.G. Leveson and J.L. Stolzy. Safety analysis using petri nets. IEEE Transactions on Software Engineering, SE-13(3):386 - 397, March 1987. [15] T. Murata. Petri nets: Properties, analysis and applications. Proc. of the IEEE, 77(4):541 - 580, April 1989. [16] A. Perkusich, J.C.A. de Figueiredo, and S.K Chang. Embedding fault-tolerant properties in the design of complex systems. Journal of Systems and Software, 2(25):23 - 37, 1994. [17] Y. Shieh, D. Ghosal, P.R. Chintamaneni, and K. Tripathi. Application of petri net models for the evaluation of fault-tolerant techniques in distributed systems. Technical Report Series CS-TR-2128, University of Maryland, College Park, Maryland, 20742, USA, October 1988. [18] M. Silva. Las Redes de Petri: en la Automática y la Informática. Editorial AC, 1985. [19] M. Silva and R. Valette. Petri nets and flexible manufacturing.In Lecture Notes in Computer Science, pp 374 - 417. Springer-Verlag, 1989. Advances in Petri Nets. [20] University of Aarhus, Aarhus, Denmark. Design CPN - Overview of CPN ML Syntax, version 3.0, 1996. [21] R. Valette, M. Corvousier, and C. Desclaux. Putting petri nets to work for controlling flexible manufacturing systems. In Proc. of IEEE International Symposium on Circuits and Systems, ISCAS 85, Kyoto, Japan, 1985.

^*

The first author is a Doctorate student at COPELE/DEE/CCT/UFPB. The authors would like to thank the financial support of CAPES as a scholarship for the first author, and to CNPQ for the partial financial support in the form of grants 300722/90-7 and 300904/94-0 for the second and third authors.

Publication Dates

Publication in this collection
07 Oct 1998
Date of issue
Nov 1997

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.